Privacy Policy

Effective date: March 15, 2026

1. Data Controller

Bontello is a sole proprietorship (eenmanszaak) registered in the Netherlands.

2. What Data We Collect

Bontello offers both free and Pro tiers with different data handling:

  • Free tier: Tools run in your browser. Data is stored locally in your browser and never sent to our servers.
  • Pro tier: Your business data (clients, invoices, expenses, time entries, quotes, projects) is stored in our PostgreSQL database hosted by Supabase in the EU. Tool outputs (PDFs, images) are generated in your browser and never uploaded.

In both tiers, we do not upload, process, or store any files or content you generate with our tools (e.g. PDFs, images, QR codes) on our servers.

2.1 Pro Subscription (via Stripe)

If you purchase a Pro subscription, Stripe Inc. collects your email address and payment details. We store your email address and a pseudonymous customer identifier on our servers to provide account management and service communications (e.g. important service updates or security notices). We never see or store your full payment details — Stripe retains those as our payment processor. This data is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR). You can see your stored email on the Pro Account page.

2.2 Analytics (Vercel)

We use Vercel Analytics to understand how visitors use our site. Vercel Analytics is privacy-friendly and does not use cookies. It collects anonymized page-view data (no personal identifiers). This data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in improving our service.

2.3 Advertising (Google AdSense)

Free users may see ads served by Google AdSense. Google may place cookies on your device to show personalized ads. These cookies are only loaded after you give consent via our cookie banner (Art. 6(1)(a) GDPR). You can withdraw consent at any time through the “Cookie Settings” link in the footer.

2.4 Cloud Data Storage (Pro)

If you have an active Pro subscription, your business data (business profile, saved clients, invoice history, invoice templates, invoice settings, expenses, time entries, quotes, VAT returns, saved services, favorite tools, and tool usage history) is stored in our PostgreSQL database hosted by Supabase (EU data region, eu-west-1). This data is encrypted in transit (TLS) and at rest, and associated with your authenticated user account.

Cloud data storage is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR) as part of the Pro subscription service. You can export all your data at any time using the “Download My Data” button on the Pro Account page.

3. Cookies

| Category | Cookie | Purpose | Consent |
|---|---|---|---|
| Necessary | sb-*-auth-token | Maintains your authenticated session (Supabase Auth) | Not required |
| Necessary | cookie_consent | Stores your cookie preferences | Not required |
| Advertising | Google AdSense cookies | Personalized advertisements | Required |

4. Third-Party Processors

Transfers to the USA are covered by these providers’ EU Standard Contractual Clauses and/or EU-U.S. Data Privacy Framework certifications.

5. Data Retention

  • Stripe data: retained for the duration of your subscription plus the legally required retention period for financial records (7 years under Dutch law).
  • Email address: stored for the duration of your Pro subscription. Deleted when your subscription ends, unless you have opted in to service communications.
  • Authentication session: Supabase auth cookies expire when you log out or when the session token expires.
  • Cloud-stored data: stored for the duration of your Pro subscription. After cancellation, your data is retained for 90 days to allow recovery. After 90 days, it is automatically and permanently deleted. You can download your data at any time during this period using the “Download My Data” button on the Pro Account page.
  • Cookie consent preference: stored in your browser until you clear your data or change your preference.

6. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”, Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))

Self-service options: You can delete your account and all associated data at any time from the Pro Account page (Danger Zone section). You can also download a copy of all your data using the “Download My Data” button on the same page, fulfilling your right to data portability (Art. 20).

To exercise any other rights, or if you prefer assistance, email us at [email protected]. We will respond within 30 days.

7. Complaints

If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.